REMARKS

The Examiner is thanked for the performance of a thorough search. 

Claims 1-13, 15-39, 41-47, 49-62, 64-70, and 72 have been amended. Claims 48 and 71 
have been canceled. No claims have been added. Hence, Claims 1-13, 15-39, 41-47, 49-62,
64-70, and 72 are pending in the present application.

The issues raised in the final Office Action mailed June 21, 2010 are addressed 
hereinafter. 

I. SUMMARY OF TELEPHONE INTERVIEW 

The Examiner is thanked for granting the courtesy of a telephone interview on 
September 7, 2010. Examiner Chea and Applicants' representative Stoycho D. Draganoff 
attended the interview. Claim 1 and proposed amendments thereof were discussed. The 
reference discussed was Cohen et al., U.S. Patent Application Publication No. US 
2005/0193430 ("COHEN"). An agreement regarding patentability was not reached. 

The Applicants' representative provided a brief overview of the subject matter to which 
Claim 1 is directed, and then pointed out the differences between Claim 1 and COHEN. The 
Examiner inquired how the proposed amendment to Claim 1 differs from the subject matter 
described in paragraph [0048] of COHEN. The Applicants' representative pointed out that in 
paragraph [0048] COHEN describes a system that checks some constraints against a starting 
point in a graph that represents a topology model of a network. Significantly, however, the 
constraints in COHEN are not ACLs; rather, the constraints appear to be directed to whether an 
attacker can gain access to a network node and whether a node has the ability to send or receive 
HTTP packets (e.g., as described in paragraphs [0032], [0075], and [0077] of COHEN). In
contrast, Claim 1 features checking first information identifying a particular packet against an
inbound ACL of a network device to determine whether ingress of the packet to the network
device is permitted and, if ingress is permitted, then checking the first information against the
outbound ACL(s) of the network device to determine whether egress of the packet from the 
network device is permitted. Then, the same process is repeated for all neighbor network 
devices to which the particular packet is allowed to egress from the network node. The 
Examiner indicated that further consideration and/or search may be necessary when the 
discussed amendments to Claim 1 are officially submitted.

II. OBJECTIONS TO THE CLAIMS

Claims 49-62 and 64-70 were objected to because of an informality, namely, that one of 
skill in the art may interpret these claims to cover signals. To address this issue, the final 
Office Action suggested amending these claims to recite a "non-transitory computer-readable
storage medium". Claims 49-62 and 64-70 have been amended herein according to the 
suggestion in the final Office Action. For this reason, reconsideration and withdrawal of the 
objection to Claims 49-62 and 64-70 is respectfully requested.

III. ISSUES RELATING TO THE CITED ART

A. INDEPENDENT CLAIM 1 

Claim 1 was rejected as allegedly unpatentable under 35 U.S.C. § 103(a) over Cohen et
al., U.S. Patent Application Publication No. US 2005/0193430 ("COHEN") in view of Milliken
et al., U.S. Patent No. 7,200,105 ("MILLIKEN"). The rejection is respectfully traversed.

Among other features, Claim 1 comprises: 

. . .

receiving first information that identifies a packet;

representing a possible travel of the packet in a network based on topology data and on
security policy data;

wherein the step of representing comprises:

    checking the first information against an inbound access control list (ACL),
    included in the security policy data, of an interface of a network device
    comprising a network entry point for the packet, wherein checking the
    first information against the inbound ACL includes determining
    whether the inbound ACL permits ingress of the packet at the
    network device;

    if the inbound ACL permits the ingress of the packet at the network device,
    checking the first information against one or more outbound ACLs
    for each outbound interface of the network device to determine one
    or more possible outbound interfaces on which egress of the packet
    is permitted from the network device;

    repeating the checking steps for each neighbor network device, of the one or
    more neighbor network devices, that is connected to each of the one or
    more possible outbound interfaces;

The final Office Action asserts that the above features of Claim 1 are described in COHEN. 
This assertion is incorrect. 

As discussed during the telephone interview on September 7, 2010, COHEN does not 
describe any functionality that checks packet-identifying information against inbound Access 
Control Lists (ACLs) and outbound ACLs of network device interfaces for the purposes of 
determining the possible penetration of a packet in a network. 

Rather, in paragraphs [0037]-[0048], COHEN describes the performance of an attack 
simulation. Specifically, in paragraphs [0038]-[0045], COHEN describes that an attack is 
simulated in part by evaluating constraints defined for all states of all services provided by 
network nodes, where a state of a service represents a result of an action performed on a 
network node. (See COHEN, paragraph [0032].) Significantly, however, the constraints 
evaluated in COHEN do not include ACLs associated with the interfaces of a network device. 
For example, in paragraph [0032] COHEN describes that a constraint may be associated with 
whether an attacker needs to gain knowledge of a management password or with whether a 
node has the ability to send HTTP packets to a web server. Further, in paragraph [0048] 
COHEN describes that a constraint may be associated with whether a node can receive HTTP 
packets, and in paragraph [0077] COHEN describes that a pre-condition for an attack may be 
whether a web server allows for buffer overflow. In the most telling example, paragraph
[0075] of COHEN describes a result table listing detected vulnerabilities along with the policy
violations and the pre-conditions that are necessary to effectuate the vulnerabilities; however, 
the policy violations and the pre-conditions listed in this table do not describe or even suggest 
that ACLs associated with interfaces of a network device are used in determining the listed 
vulnerabilities. 

In contrast, the above features of Claim 1 indicate the functionalities of: checking first 
information, which identifies a packet, against the inbound ACL of a network device interface
(which is the entry point of the packet in the network) to determine whether the inbound ACL 
permits ingress of the packet at the network device; if the inbound ACL permits the ingress of 
the packet at the network device, then checking the first information against one or more 
outbound ACLs of the outbound interfaces of the network device to determine on which 
outbound interfaces egress of the packet is permitted from the network device; and repeating 
the checking steps for each neighbor network device that is connected to an outbound interface 
on which egress of the packet is permitted from the network device. Since COHEN does not 
describe any functionalities that use ACLs of network device interfaces to determine whether a 
particular packet can ingress into and egress from a given network device, COHEN does not 
describe the above features of Claim 1.
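The ingress, egress and neighbor-repetition checks recited above, sketched as an added Python example (not code from the application or from COHEN). The rule tuple format, first-match evaluation with implicit deny, treating an interface with no ACL as permitting, and the sample topology are all assumptions made for illustration.

```python
from collections import deque
from ipaddress import ip_address, ip_network

def acl_permits(acl, pkt):
    """First-match evaluation; no matching entry means deny (assumed semantics).
    acl=None means no ACL is applied in that direction, treated as permit."""
    if acl is None:
        return True
    for action, src, dst, proto, dport in acl:
        if (ip_address(pkt["src"]) in ip_network(src)
                and ip_address(pkt["dst"]) in ip_network(dst)
                and proto in ("any", pkt["proto"])
                and dport in (None, pkt["dport"])):
            return action == "permit"
    return False

def trace(devices, links, entry, pkt):
    """Map each device the packet may enter to the interfaces it may leave on."""
    result, seen, queue = {}, set(), deque([entry])
    while queue:
        dev, in_if = queue.popleft()
        if (dev, in_if) in seen:          # guard against topology loops
            continue
        seen.add((dev, in_if))
        if not acl_permits(devices[dev][in_if].get("in"), pkt):
            continue                      # ingress denied: travel stops here
        egress = result.setdefault(dev, set())
        for out_if, acls in devices[dev].items():
            if out_if != in_if and acl_permits(acls.get("out"), pkt):
                egress.add(out_if)
                if (dev, out_if) in links:  # repeat the checks on the neighbor
                    queue.append(links[(dev, out_if)])
    return {d: sorted(i) for d, i in result.items()}

# Constructed sample topology and packets (hypothetical names and addresses).
ANY = "0.0.0.0/0"
WEB = [("permit", ANY, "10.0.1.0/24", "tcp", 443)]
DEVICES = {
    "edge": {"outside": {"in": WEB}, "dmz": {},
             "core": {"out": [("deny", ANY, ANY, "any", None)]}},
    "dmz-sw": {"up": {"in": WEB}, "srv": {}},
    "core-sw": {"up": {}, "db": {}},
}
LINKS = {("edge", "dmz"): ("dmz-sw", "up"), ("edge", "core"): ("core-sw", "up")}
HTTPS = {"src": "203.0.113.7", "dst": "10.0.1.10", "proto": "tcp", "dport": 443}
SSH = {"src": "203.0.113.7", "dst": "10.0.1.10", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    print(trace(DEVICES, LINKS, ("edge", "outside"), HTTPS))
    print(trace(DEVICES, LINKS, ("edge", "outside"), SSH))
```

The sketch considers only ACLs and topology, as the recited steps do; it does not model routing decisions.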

Finally, it is noted that MILLIKEN does not cure the deficiencies of COHEN with 
respect to the above features of Claim 1. The final Office Action does not assert and the
Applicants could not find that MILLIKEN describes the above features of Claim 1. In fact, 
MILLIKEN does not even mention the terms "access control list" or "ACL". 

For the foregoing reasons COHEN and MILLIKEN, whether taken alone or in 
combination, do not describe or suggest all features of Claim 1. Thus, Claim 1 is patentable
under 35 U.S.C. § 103(a) over COHEN in view of MILLIKEN. Reconsideration and
withdrawal of the rejection of Claim 1 is respectfully requested. 

B. INDEPENDENT CLAIMS 22, 25-27, 49, AND 72 

Claims 22, 25-27, 49, and 72 were rejected as allegedly unpatentable under 35 U.S.C. § 
103(a) over COHEN in view of MILLIKEN. 

Claims 22, 25-27, 49, and 72 include features similar to the features of Claim 1 
discussed above. For this reason, it is respectfully submitted that Claims 22, 25-27, 49, and 72 
are patentable under 35 U.S.C. § 103(a) over COHEN in view of MILLIKEN for at least the 
reasons given above with respect to Claim 1. Reconsideration and withdrawal of the rejection 
of Claims 22, 25-27, 49, and 72 is respectfully requested. 

C. DEPENDENT CLAIMS 2-13, 15-21, 23-24, 28-39, 41-47, 50-62, AND 64-70

Claims 2-13, 15-21, 23-24, 28-39, 41-47, 50-62, and 64-70 were rejected as allegedly
unpatentable under 35 U.S.C. § 103(a) over COHEN in view of MILLIKEN.

Each of Claims 2-13, 15-21, 23-24, 28-39, 41-47, 50-62, and 64-70 depends from one 
of independent Claims 1, 22, 27, and 49, and thus includes each and every feature of the 
independent base claim. Thus, each of Claims 2-13, 15-21, 23-24, 28-39, 41-47, 50-62, and 
64-70 is allowable for at least the reasons given above for Claims 1, 22, 27, and 49. In 
addition, each of Claims 2-13, 15-21, 23-24, 28-39, 41-47, 50-62, and 64-70 introduces one or 
more additional features that independently render it patentable. However, due to the 
fundamental differences already identified, to expedite the positive resolution of this case a 
separate discussion of those features is not included at this time. Therefore, it is respectfully 
submitted that Claims 2-13, 15-21, 23-24, 28-39, 41-47, 50-62, and 64-70 are allowable for the 
reasons given above with respect to Claims 1, 22, 27, and 49. Reconsideration and withdrawal
of the rejection of Claims 2-13, 15-21, 23-24, 28-39, 41-47, 50-62, and 64-70 is respectfully
requested. 

IV. CONCLUSION 

The Applicants believe that all issues raised in the final Office Action have been 
addressed. Further, for the reasons set forth above, the Applicants respectfully submit that 
allowance of the pending claims is appropriate. Entry of the RCE filed concurrently herewith 
and reconsideration of the present application are respectfully requested in light of the 
amendments and remarks herein. 

The Examiner is respectfully requested to contact the undersigned by telephone if it is 
believed that such contact would further the examination of the present application. 

A petition for extension of time, to the extent necessary to make this reply timely filed, 
is hereby made. If any applicable fee is missing or insufficient, throughout the pendency of this 
application, the Commissioner is hereby authorized to charge any applicable fees and to credit 
any overpayments to our Deposit Account No. 50-1302. 



Respectfully submitted, 

HICKMAN PALERMO TRUONG & BECKER LLP 

Dated: September 17, 2010 /StoychoDDraganoff#56 181/ 

Stoycho D. Draganoff 
Reg. No. 56,181 

2055 Gateway Place, Suite 550 
San Jose, California 95110-1089 
Telephone No.: (408) 414-1080 ext. 208 
Facsimile No.: (408) 414-1076